KB-1E52

RP-01 Runtime Instance / Result / Evidence Tables — Refinement

Revision 1

02 - SUPERTRACK B — RP-01 Runtime Instance / Result / Evidence Tables (REFINED_BLOCKING)

Core refinement

The corrected package defined the 27 manifest child-contracts (REQUIREMENTS/AUTHORITY) and the support/anchor registries, but the RUNTIME FACT/EVIDENCE tables that the hash maps and partition strategy consume are undefined. These tables are a THIRD, distinct category:

  • (a) 27 manifest child-contracts = sealed AUTHORITY (policy/threshold/exact-set).
  • (b) support/anchor registries = evidence_registry, principal_registry, human_identity_registry, analyzer_run, manifest_activation, code_catalog, operator_operand_compatibility.
  • (c) RUNTIME INSTANCE/RESULT/EVIDENCE tables = the append-only facts produced at runtime (this RP).

Critical classification: category (c) tables are owner-controlled, append-only, hash-bound, and EXACT-SET ENUMERATED, but they are NOT authority surfaces and NOT child-contracts. Adding them does NOT change the "exactly 27" count and does NOT create a 28th authority surface. They hold evidence/facts, not policy. They must still be enumerated/owned/append-only/hash-bound so they cannot be tampered with to fake readiness (an unenumerated mutable evidence table would be a bypass vector).

Enumerated category-(c) tables (12)

For each: purpose; DDL add vs downscope; owner; Directus; FK targets; hash inclusion; retention/partition; rollback; negative tests.

  1. signoff_binding — per-activation reviewer/binder signoff instance (feeds H04 signoff_binding, H02 signoff_binding_hashes). FK: activation_id→manifest_activation, target_id, plan_content_hash, scope_hash, tier_id→tier_manifest.item_id, action_id→authority_action_manifest.item_id, required_principal_class_id→principal_class_manifest.item_id, reviewer_principal_id/binder_principal_id→principal_registry, reviewer_human_identity_id/binder_human_identity_id→human_identity_registry, reviewer_evidence_id/binding_evidence_id→evidence_registry, control_epoch, signed_at, bound_at, valid_until. Validity governed by signoff_requirement_manifest.max_age_seconds (sealed, not a literal). Owner qt001_cp_owner; Directus no DML. Hash: H04 + H02. Retention: identity-anchor-like (keep; supersede/revoke only). Rollback: append-only; new version never edits. Neg tests: wrong target, stale (> sealed max_age), expired, revoked, wrong/extra class, same-human conflict (RP-06), Directus DML.
  2. capability_run — one capability verification run (feeds H05 run). FK: capability_id→capability_manifest.item_id, workload_profile_id→workload_profile_manifest.item_id, verifier_principal_id→principal_registry, evidence_id→evidence_registry, control_epoch, started_at, finalized_at, environment_sha256. DDL add. Hash H05 + H02 capability_evidence_hashes. Partition: high-volume → storage_class retention (RP-02). Neg: missing run, stale, wrong verifier class, unfinalized.
  3. capability_measurement — measured metric values per run (feeds H05 measurements). FK: run_id→capability_run, measurement_requirement_id→capability_measurement_requirement.item_id, metric_id→metric_manifest.item_id, typed measured value columns (same typed-operand discipline as CP-04), evaluated_pass boolean derived by generic guard. DDL add. Hash H05. Partition: high-volume. Neg: measurement for unknown requirement, wrong unit/type, missing measurement vs required set (both-EXCEPT).
  4. capability_artifact — artifacts produced per run (feeds H05 artifacts). FK: run_id→capability_run, artifact_requirement_id→capability_artifact_requirement.item_id, artifact_kind_id→code_catalog_item (family ARTIFACT_KIND), evidence_id→evidence_registry. DDL add. Hash H05. Neg: count < minimum_count, wrong kind, missing evidence.
  5. capability_environment — environment snapshot per run (feeds H05 environment); MAY be folded into capability_run.environment_sha256 + an environment evidence row rather than a standalone table. Decide explicitly. Hash H05.
  6. gate_fact_result — readiness gate fact evaluations per gate per epoch (consumed by the 14 readiness gates; feeds H02 / readiness). FK: gate_id→readiness_gate_manifest.item_id, control_epoch, fact_sha256, evidence_id→evidence_registry, measured_at, pass boolean (generic-guard-derived, not authored). DDL add. Partition: high-volume. Neg: stale (> gate max_age_seconds), missing gate fact vs ACTIVE gate set (both-EXCEPT), Directus DML.
  7. bypass_vector_fact_result — bypass vector fact evaluations (consumed by NO_BYPASS_ALL_BLOCKED gate). FK: vector_id→bypass_vector_manifest.item_id, control_epoch, fact_sha256, evidence_id→evidence_registry, blocked boolean (derived). DDL add. Partition: high-volume. Neg: stale, missing vector fact vs ACTIVE vector set (both-EXCEPT), any vector not blocked → readiness FAIL.
  8. quorum_vote — per-activation quorum votes/approvals (feeds activation/quorum evaluation, relates to H07). FK: activation_id→manifest_activation, quorum_profile_id→code_catalog_item (family QUORUM_PROFILE), required_principal_class_id→principal_class_manifest.item_id, principal_id→principal_registry, human_identity_id→human_identity_registry, evidence_id→evidence_registry, voted_at. DDL add. Hash: contributes to H07 quorum_profile_hash binding. Neg: insufficient count vs quorum_requirement_manifest.required_count, same-human two slots (RP-06), stale.
  9. denied_attempt_evidence — denied-attempt log (doc-09 partition target). FK: evidence_id→evidence_registry, object_identity, attempted_action, control_epoch, occurred_at. DDL add. Partition: high-volume → storage_class retention. Append-only. Neg: Directus DML, mutation.
  10. dashboard_export — self-audit dashboard exports (doc-09 partition target). FK: evidence_id→evidence_registry, export_sha256, control_epoch, exported_at. DDL add. Partition: high-volume. NOTE mutable-denominator concern: the dashboard must read sealed denominators (ACTIVE manifest expected_item_count), never compute its own; this is an explicit named check. Neg: denominator not equal to sealed value → FAIL.
  11. level_b_packet_execution — Level-B operator packet executions (doc-09 partition target; feeds Level-B evidence). FK: principal_id→principal_registry, human_identity_id→human_identity_registry, evidence_id→evidence_registry, control_epoch, executed_at. DDL add. Partition: high-volume. Neg: unknown/shared identity, stale, Directus DML.
  12. post_activation_verifier_state — post-activation verification result (feeds H02 post_activation_verifier_state). FK: activation_id→manifest_activation, verifier_principal_id→principal_registry, evidence_id→evidence_registry, state, verified_at. DDL add. Hash H02. Neg: missing verifier state post-activation → readiness FAIL.
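The generic guard behind table 6's negative tests (both-EXCEPT set check, sealed max_age staleness, derived pass), written out as an added example rather than anything from the RP-01 package. It assumes readiness_gate_manifest carries an is_active flag and max_age_seconds, and gate_fact_result has the columns listed above.

```sql
-- Added example, not part of the RP-01 package. Assumed shapes: readiness_gate_manifest
-- (item_id text, is_active boolean, max_age_seconds integer) and gate_fact_result with the
-- columns listed for table 6 above. Output columns are named gate/finding so they cannot
-- clash with the gate_id column referenced inside the body.
CREATE OR REPLACE FUNCTION readiness_gate_findings(p_epoch bigint)
RETURNS TABLE (gate text, finding text)
LANGUAGE sql STABLE AS $$
WITH active_gates AS (
    SELECT item_id, max_age_seconds
    FROM readiness_gate_manifest
    WHERE is_active                       -- the sealed ACTIVE set is the denominator
),
latest_fact AS (
    SELECT DISTINCT ON (gate_id) gate_id, pass, measured_at
    FROM gate_fact_result
    WHERE control_epoch = p_epoch
    ORDER BY gate_id, measured_at DESC    -- newest fact per gate in this epoch
)
-- both-EXCEPT, direction 1: an ACTIVE gate with no fact at all
SELECT m.item_id, 'MISSING_FACT'
FROM (SELECT item_id FROM active_gates EXCEPT SELECT gate_id FROM latest_fact) m
UNION ALL
-- both-EXCEPT, direction 2: a fact recorded for a gate outside the ACTIVE set
SELECT u.gate_id, 'FACT_FOR_INACTIVE_GATE'
FROM (SELECT gate_id FROM latest_fact EXCEPT SELECT item_id FROM active_gates) u
UNION ALL
-- stale: older than the sealed max_age_seconds, never a literal inside the guard
SELECT f.gate_id, 'STALE'
FROM latest_fact f JOIN active_gates g ON g.item_id = f.gate_id
WHERE f.measured_at < now() - make_interval(secs => g.max_age_seconds)
UNION ALL
-- failed: the guard reports the derived boolean, nobody authors the verdict
SELECT f.gate_id, 'FAILED'
FROM latest_fact f
WHERE NOT f.pass
$$;

-- Readiness for an epoch holds only when the finding set is empty:
-- SELECT count(*) = 0 AS ready FROM readiness_gate_findings(42);
```

The same shape applies to bypass_vector_fact_result (table 7) with blocked in place of pass and bypass_vector_manifest as the sealed set.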

Note: H06 dependency_manifest hash is ALREADY satisfied — its inputs (dependency_manifest child 11, analyzer_contract_manifest child 24, analyzer_run doc 09, dynamic_sql_target_manifest child 22) are all defined. RP-01 must NOT over-claim H06 needs new tables.

Implementation boundary for Codex

  • Path A (recommended): publish byte-level DDL for tables 1–4, 6–12 (and decide 5 fold vs standalone), each: owner qt001_cp_owner, Directus/PUBLIC no DML, append-only immutable trigger, FK targets as above, partition key (created_at/finalized_at) where high-volume, and membership in a sealed runtime_evidence_object_set (exact-set enumerated, so the set itself is owner-controlled and hash-bound).
  • Path B (explicit downscope): declare them FIX7-author-mode tables under the same owner/seal/append-only/hash rules, and bind a MANDATORY rule that their exact columns are pinned and Codex-re-audited (hash-map column binding) BEFORE any apply.
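Path A worked through for table 6, gate_fact_result, as an added illustration and not the package's published DDL. It assumes PostgreSQL 13 or later, a Directus role named directus, and a sealed runtime_evidence_object_set with object_name/owner_role/partition_key columns.

```sql
-- Added example, not the package's own DDL. Assumes PostgreSQL 13+ (BEFORE ROW triggers on
-- partitioned tables), roles qt001_cp_owner and directus, readiness_gate_manifest(item_id text),
-- evidence_registry(evidence_id bigint) and the sealed registry
-- runtime_evidence_object_set(object_name, owner_role, partition_key).
SET ROLE qt001_cp_owner;

CREATE TABLE gate_fact_result (
    gate_fact_result_id bigserial,                 -- identity columns need PG 17 on partitioned tables
    gate_id             text        NOT NULL
        REFERENCES readiness_gate_manifest (item_id) ON UPDATE RESTRICT ON DELETE RESTRICT,
    control_epoch       bigint      NOT NULL,
    fact_sha256         bytea       NOT NULL CHECK (octet_length(fact_sha256) = 32),
    evidence_id         bigint      NOT NULL
        REFERENCES evidence_registry (evidence_id) ON UPDATE RESTRICT ON DELETE RESTRICT,
    measured_at         timestamptz NOT NULL DEFAULT now(),
    pass                boolean     NOT NULL,      -- written by the generic guard, never hand-authored
    PRIMARY KEY (gate_fact_result_id, measured_at) -- partition key must be part of the PK
) PARTITION BY RANGE (measured_at);

-- High-volume: time partitions, retention per storage_class (RP-02).
CREATE TABLE gate_fact_result_2026_06 PARTITION OF gate_fact_result
    FOR VALUES FROM ('2026-06-01') TO ('2026-07-01');

-- Owner-only: Directus and PUBLIC get neither DML nor SELECT on category-(c) tables.
REVOKE ALL ON gate_fact_result FROM PUBLIC;
REVOKE ALL ON gate_fact_result FROM directus;

-- Append-only: rollback is a new row, never an edit or delete of an existing one.
CREATE OR REPLACE FUNCTION runtime_evidence_immutable() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'runtime evidence table % is append-only: % refused', TG_TABLE_NAME, TG_OP
        USING ERRCODE = 'insufficient_privilege';
END
$$;

-- Row-level, so PostgreSQL clones it onto every existing and future partition.
CREATE TRIGGER gate_fact_result_immutable
    BEFORE UPDATE OR DELETE ON gate_fact_result
    FOR EACH ROW EXECUTE FUNCTION runtime_evidence_immutable();
-- TRUNCATE triggers are statement-level and are not cloned: repeat this on each partition.
CREATE TRIGGER gate_fact_result_no_truncate
    BEFORE TRUNCATE ON gate_fact_result
    FOR EACH STATEMENT EXECUTE FUNCTION runtime_evidence_immutable();

-- Exact-set enumeration: an evidence table missing from the sealed set is itself a finding.
INSERT INTO runtime_evidence_object_set (object_name, owner_role, partition_key)
VALUES ('gate_fact_result', 'qt001_cp_owner', 'measured_at');
```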

Cross-impact (required fields)

  • Affected docs: 07 (H02/H04/H05), 09 (partition targets), 10 (signoff), and the readiness-gate adapter spec (gate/vector fact-results).
  • Affected contracts/tables/manifests: capability_manifest #13, capability_measurement_requirement #14, capability_artifact_requirement #15, signoff_requirement_manifest #16, tier_manifest #17, authority_action_manifest #07, principal_class_manifest #06, quorum_requirement_manifest #19, readiness_gate_manifest #09, bypass_vector_manifest #12, workload_profile_manifest #23; manifest_activation, evidence_registry, principal_registry, human_identity_registry.
  • Affected hashes: H04 signoff_binding, H05 capability_evidence, H02 control_state (signoff_binding_hashes, capability_evidence_hashes, post_activation_verifier_state). H06 unaffected. H01 unaffected (excludes lifecycle/evidence).
  • Affected readiness gates: SIGNOFF_AUTHENTIC (signoff_binding), CAPABILITY_BEHAVIORAL (capability_run/measurement/artifact), NO_BYPASS_ALL_BLOCKED (bypass_vector_fact_result), DEPENDENCY_TRUTH (gate facts; inputs already defined), plus every gate produces a gate_fact_result. No NEW gate (stays 14).
  • Affected bypass vectors: the ACTIVE BYPASS_VECTOR set is consumed via bypass_vector_fact_result; an unenumerated evidence table would itself be a new bypass vector, which this exact-set enumeration closes.
  • Affected rollback path: append-only; rollback = new version; never edits these rows. Tables must exist before readiness evaluates; reversal drops empty candidate-only tables per the consolidated order (RP-03).
  • Affected Directus/read path: none — Directus gets no DML/SELECT on category-(c) tables (they are control-plane evidence, not business base tables).
  • Affected PG-native enforcement: append-only immutable trigger, owner-only, FK RESTRICT, partition by time; pass/blocked booleans are GENERIC-GUARD-DERIVED, never authored.
  • Affected no-hardcode proof: closes the "routed-later instance layer" risk in supertrack J; the exact-set enumeration prevents an unsealed mutable evidence surface.
  • Verification after Codex edits: every H04/H05/H02 sub-payload key resolves to a named table.column; every doc-09 partition target has a CREATE TABLE; the runtime_evidence_object_set is sealed and its members owner-only/append-only; negative tests above pass; "27" count and "no 28th authority surface" both still hold (category-(c) is explicitly non-authority).
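A catalog check for the last bullet (sealed set members exist, are owner-only and append-only, and nothing outside the set looks like evidence), added here and not part of the package. It assumes the sealed set is runtime_evidence_object_set(object_name), the tables live in schema public, the Directus role is named directus, and the append-only trigger function is runtime_evidence_immutable.

```sql
-- Added example, not part of the package. Assumes the sealed set is
-- runtime_evidence_object_set(object_name text), category-(c) tables live in schema public,
-- the Directus role is named directus, and the append-only trigger function is
-- runtime_evidence_immutable.

-- Direction 1: every enumerated member exists, is owner-only, is locked away from Directus,
-- carries the immutable trigger, and is time-partitioned.
SELECT s.object_name,
       c.oid IS NOT NULL                                         AS table_exists,
       pg_get_userbyid(c.relowner) = 'qt001_cp_owner'            AS owner_ok,
       NOT has_table_privilege('directus', c.oid,
                               'SELECT, INSERT, UPDATE, DELETE') AS directus_locked_out,
       EXISTS (SELECT 1
               FROM pg_trigger t
               JOIN pg_proc p ON p.oid = t.tgfoid
               WHERE t.tgrelid = c.oid
                 AND p.proname = 'runtime_evidence_immutable')   AS immutable_trigger,
       c.relkind = 'p'                                           AS partitioned
FROM runtime_evidence_object_set s
LEFT JOIN pg_class c
       ON c.relname = s.object_name
      AND c.relnamespace = 'public'::regnamespace
ORDER BY s.object_name;

-- Direction 2 (both-EXCEPT): a table carrying the immutable trigger but absent from the
-- sealed set is an unenumerated evidence surface, which the refinement treats as a bypass
-- vector. Partitions are skipped because they only inherit the cloned row trigger.
SELECT c.relname::text AS unenumerated_table
FROM pg_class c
JOIN pg_trigger t ON t.tgrelid = c.oid
JOIN pg_proc p ON p.oid = t.tgfoid AND p.proname = 'runtime_evidence_immutable'
WHERE c.relkind IN ('r', 'p')
  AND c.relnamespace = 'public'::regnamespace
  AND NOT c.relispartition
EXCEPT
SELECT object_name FROM runtime_evidence_object_set;
```

Direction 2 only catches tables that already wear the trigger; a complete audit also diffs every table owned by qt001_cp_owner against the union of the 27 child-contracts, the support/anchor registries and this set.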

Refined verdict: REFINED_BLOCKING.

Source: knowledge/dev/reports/architecture/t1-fix7-rp-proposal-refinement-cross-impact-2026-06-07/02-rp01-runtime-instance-evidence-refinement.md